1. In a system including a service that is accessed by a user from one or more 
devices with varying input capabilities, a method for associating multiple credentials with a 
single user account such that the user may be authenticated with any one of the multiple 
credentials, the method comprising an authentication system performing acts of: 

receiving an authentication request at the authentication system from a 
device, wherein credentials of the user are included in the authentication request; 

validating the credentials provided by the user, wherein the credentials are 
associated with a single user identifier of the user; 

receiving new credentials from the user, wherein the new credentials are 
associated with the same user identifier of the user; and 

storing the new credentials in a credential store of the authentication system 
such that the authentication system can authenticate the user to the service when the 
user provides any one of the multiple credentials.. 

2. A method as defined in claim 1, wherein the authentication system is a 
distributed authentication system, wherein the act of receiving an authentication request at 
the authentication further comprises an act of determining where to send the credentials for 
validation. 

3. A method as defined in claim 2, wherein the act of determining where to send 
the credentials for validation uses a username of the credentials. 
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4. A method as defined in claim 1 5 wherein the act of receiving new credentials 
from the user further comprises an act of symmetrically associating the new credentials with 
a user identifier. 

5. A method as defined in claim 4, wherein the act of symmetrically associating 
the new credential with a user identifier further comprises an act of associating the new 
credentials with a user account. 

6. A method as defined in claim 4, wherein the act of symmetrically associating 
the new credential with a user identifier further comprises an act of caching a copy of the 
user identifier with the new credential. 

7. A method as defined in claim 1, wherein the act of receiving new credentials 
from the user further comprises an act of asymmetrically associating the new credentials 
with a primary credential, wherein the primary credential is stored in a primary store with 
the user identifier. 
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8. A method as defined in claim 1 ? further comprising one or more of: 

a step for remembering which credential was received in the authentication 
request; 

a step for prompting the user for a more secure credential when the 
credentials received in the authentication request do not meet security requirements 
of the service; and 

a step for providing at least one security measure for each credential 
associated with the user account, wherein the user is not authenticated to a service if 
the security measure of a particular credential is breached or the user account is 
locked. 
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9. In a system that includes multiple services that are accessed by a user over a 
network such as the Internet, wherein the user accesses the multiple services from one or 
more devices that have varying input capabilities, a method for accessing a service from a 
device, the method comprising acts of: 

providing multiple credentials to an authentication service, wherein each of 
the multiple credentials is associated with a user account that is maintained by the 
authentication system; 

requesting access to a service using a device included in the one or more 
devices, wherein the service requires that the user be authenticated before access to 
the service is granted to the user, wherein the device is redirected to the 
authentication system; 

selecting an access credential to send to the authentication system from the 
multiple credentials and entering the access credential in the device; 

issuing an authentication request to an authentication system, wherein the 
authentication request includes the access credential selected by the user; 

receiving an authentication response from the authentication system, wherein 
the authentication response includes a user identifier that authenticates the user to the 
service if the access credential is validated; and 

sending an authenticated request to the service, wherein the authenticated 
request includes the user identifier such that access to the service is obtained. 

10. A method as defined in claim 9, wherein the act of selecting an access 
credential to send to an authentication system from multiple credentials further comprises an 
act of selecting the access credential according to an input capability of the device. 
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11. A method as defined in claim 10, wherein the access credential is a numerical 
credential when the device has numerical input. 



12. A method as defined in claim 9, wherein the service requires a specific level 
of security, the method further comprising: 

an act of requiring the user to provide a secure credential to the authentication 
system that is more secure that the access credential; and 

an act of providing the service with a level of security of the secure credential 
and of the access credential, wherein the service is unaware of both the selected 
credential and the secure credential 



13. A method as defined in claim 9, wherein the authentication system is a 



distributed system and wherein some of the multiple credentials are stored on different 



credential stores, wherein the act of providing multiple credentials to an authentication 
service further comprises one or more of: 



'4 



a step for symmetrically associating the multiple credentials with a user 




identifier, wherein the user identifier is cached with each of the multiple credentials; 



credentials, wherein the user is not authenticated to a service if the security measure 



account, wherein a user account is cached with each of the multiple credentials and 



of a particular credential is breached or the user account is locked. 



a step for symmetrically associating the multiple credentials with a user 



an step for associating a security measure with each of the multiple 
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14. A method as defined in claim 9, wherein the authentication system is a 
distributed system and wherein some of the multiple credentials are stored on different 
credential stores, wherein the act of providing multiple credentials to an authentication 
service further comprises an act of asymmetrically associating the multiple credentials with 
a primary credential, wherein the user identifier is stored with the primary credential. 



ly 
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15. In a system wherein a user is authenticated to multiple services by an 
authentication system, a method for authenticating the user to each of the multiple services 
when the user accesses the multiple services with one or more devices that have different 
input capabilities, the method comprising acts of: 

validating a credential supplied by the user, wherein the credential is 
associated with a user account and wherein the user account includes a user identifier 
that authenticates the user to each of the multiple services; 

associating a new credential provided by the user with the user account, 
wherein the new credential corresponds to the input capabilities of a device; and 

storing the new credential in a credential store for use in authenticating the 
user when the user provides the new credential for authentication. 

16. A method as defined in claim 15, wherein the act of validating a credential 
supplied by the user further comprises an act of locating a credential store where a master 
credential for the supplied credential is stored such that the supplied credential can be 
validated. 

17. A method as defined in claim 15, wherein the authentication system is a 
distributed system, wherein the act of associating a new credential provided by the user with 
the user account further comprises an act of symmetrically associating the new credential 
with the user account such that the user account is linked with the new credential. 
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18. A method as defined in claim 17, wherein the user account is cached with the 
new credential and wherein the user account and the new credential are not on the same 
store. 

19. A method as defined in claim 15, wherein the authentication system is a 
distributed system, wherein the act of associating a new credential provided by the user with 
the user account further comprises an act of asymmetrically associating the new credential 
with the user account through a primary credential, wherein the new credential is linked to 
the primary credential. 

20. A method as defined in claim 19, wherein the primary credential is cached 
with the new credential and wherein the primary credential and the new credential are not on 
the same store. 

21. A method as defined in claim 15, further comprising an act of the 
authentication system remembering which credential is supplied by the user such that a more 
secure credential may be supplied by the user if a service requires more security than is 
provided by the supplied credential. 
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22. In an environment including a user that accesses multiple services with one 
or more devices that have varying input capabilities, a method for an authentication system 
to authenticate the user to each of the multiple services, the method comprising the 
authentication system performing steps for: 

receiving an access credential from the user, wherein the access credential is 
associated with a user account that includes a user identifier and wherein the access 
credential has a security level; 

determining, from the access credential, a credential store that stores a master 
credentials that is used to validate the access credential; 
J5 validating the access credential at the credential store with the master 

credential; 

lj associating one or more new credentials with the user account such that the 

p 

user can be authenticated with both the access credential and the one or more new 
D credentials, wherein each of the one or more new credentials has a security level; 

remembering the access credential that was provided by the user; and 

13 

prompting the user for a secure credential that is more secure than the access 

w credential if the security level of the access credential is insufficient for a service 

& 
w 

^ 2 = being accessed by the user, wherein the service is provided with the security level of 

S 1 h « 1 1 both the access credential and the secure credential, but is not aware of either the 

Q § 1 3 8 6 access credential or the secure credential 

Sinn 
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23. A method as defined in claim 22, wherein the step for associating one or 
more new credentials with the user account further comprises a step for symmetrically 
associating the access credential and the one or more new credentials with the user account, 
wherein the user account is cached with each of the access credential and the one or more 
new credentials. 

24. A method as defined in claim 23 , wherein the step for associating one or 
more new credentials with the user account further comprises a step for asymmetrically 
associating the one or more new credentials with a primary credential, wherein the primary 
credential is associated with the user account and wherein the primary credential is cached 
with each of the one or more new credentials. 



25. A method as defined in claim 22, further comprising a step for automatically 
authenticating the user at different services after the user has been authenticated at a first 



service. 




credential when the device has substantially numerical input. 



26. 



A method as defined in claim 22, wherein the access credential is a numerical 
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27. In a system including a service that is accessed by a user from one or more 
devices with varying input capabilities, a computer program product for implementing a 
method for associating multiple credentials with a user account such that the user may be 
authenticated with any one of the multiple credentials, the computer program product 
comprising: 

a computer readable medium having computer readable instructions for 
performing the method, the method comprising acts of: 

receiving an authentication request at the authentication system from 
a device, wherein credentials of the user are included in the authentication 
request; 

validating the credentials provided by the user, wherein the 
credentials are associated with a user identifier; 

receiving new credentials from the user, wherein the new credentials 
are associated with a user identifier of the user; and 

storing the new credentials in a credential store of the authentication 
system such that the authentication system can authenticate the user to the 




authentication system is a distributed authentication system, wherein the act of receiving an 



authentication request at the authentication further comprises an act of determining where to 



28. A computer program product as defined in claim 27, wherein the 



service when the user provides any one of the multiple credentials.. 



send the credentials for validation. 
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29. A computer program product as defined in claim 28, wherein the act of 
determining where to send the credentials for validation uses a username of the credentials. 



30. A computer program product as defined in claim 27, wherein the act of 
receiving new credentials from the user further comprises an act of symmetrically 
associating the new credentials with a user identifier. 

31. A computer program product as defined in claim 30, wherein the act of 
symmetrically associating the new credential with a user identifier further comprises an act 

} 2[ of associating the new credentials with a user account. 

J 32. A computer program product as defined in claim 30, wherein the act of 

symmetrically associating the new credential with a user identifier further comprises an act 

I i of caching a copy of the user identifier with the new credential 

u 

:? 

33. A computer program product as defined in claim 27, wherein the act of 
w receiving new credentials from the user further comprises an act of asymmetrically 

i 

™ z. s associating the new credentials with a primary credential, wherein the primary credential is 
S i h § 1 1 stored in a primary store with the user identifier. 
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34. 



A computer program product as defined in claim 27, further comprising acts 



of: 

remembering which credential was received in the authentication request; and 
prompting the user for a more secure credential when the credentials received 
in the authentication request are not sufficient for the service. 
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35, In a system that includes multiple services that are accessed by a user over a 
network such as the Internet, wherein the user accesses the multiple services from one or 
more devices that have varying input capabilities, a computer program product for 
implementing a method for accessing a service from a device, the computer program 
product comprising: 

a computer readable medium having computer executable instructions for 
performing the method, the method comprising acts of: 

providing multiple credentials to an authentication service, wherein 
each of the multiple credentials is associated with a user account that is 
maintained by the authentication system; 

requesting access to a service using a device included in the one or 
more devices, wherein the service requires that the user be authenticated 
before access to the service is granted to the user, wherein the device is 
redirected to the authentication system; 

selecting an access credential to send to the authentication system 
from the multiple credentials and entering the access credential in the device; 




wherein the authentication response includes a user identifier that 



the authentication request includes the access credential selected by the user; 



authenticated request includes the user identifier such that access to the 



authenticates the user to the service if the access credential is validated; and 



receiving an authentication response from the authentication system, 



issuing an authentication request to an authentication system, wherein 



sending an authenticated request to the service, wherein the 



service is obtained. 
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36. A computer program product as defined in claim 35, wherein the act of 
selecting an access credential to send to an authentication system from multiple credentials 
further comprises an act of selecting the access credential according to an input capability of 
the device. 

37. A computer program product as defined in claim 36, wherein the access 
credential is a numerical credential when the device has numerical input. 

38. A computer program product as defined in claim 35, wherein the service 
requires a level of security, the method further comprising an act of providing a secure 
credential to the authentication system, wherein the secure credential is more secure than the 
access credential and wherein service is unaware of both the selected credential and the 
secure credential. 
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39. A computer program product as defined in claim 35, wherein the 
authentication system is a distributed system and wherein some of the multiple credentials 
are stored on different credential stores, wherein the act of providing multiple credentials to 
an authentication service further comprises one or more of: 

an act of symmetrically associating the multiple credentials with a user 
identifier, wherein the user identifier is cached with each of the multiple credentials; 
and 

an act of symmetrically associating the multiple credentials with a user 
account, wherein a user account is cached with each of the multiple credentials. 

40. A computer program product as defined in claim 35, wherein the 
authentication system is a distributed system and wherein some of the multiple credentials 
are stored on different credential stores, wherein the act of providing multiple credentials to 
an authentication service farther comprises an act of asymmetrically associating the multiple 

O credentials with a primary credential, wherein the user identifier is stored with the primary 

:f 

H credential. 
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